advanced sip topics - packetizer · pdf file• the video middleware working group...
TRANSCRIPT
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
Advanced SIP topicsH.350: What it is, what it does, why you want it…
20th Apan Meeting, Taipei, TaiwanAugust 2005
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
The Problem
• User management and information management is a big issue, once the deployment scales up
– Need for new Gatekeeper/SIP Proxy entries– Update of white pages– Reliable billing?– Get the ‘working’ configuration for an endpoint
• Resource discovery– How do I find users and their endpoints?
• Is it an H.323 endpoint, a SIP endpoint or something else?
– How do I find MCUs and Gateways?
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
The Problem
• Redundant information and processes if:
– A user has entries in more than one directory
• Confuses the user and external parties who need some information
– Who is the right contact?• Billing?
UniversityDirectory
SIPDirectory
H.323Directory
IMDirectory
UniversityWhite Pages
SIPWhite Pages
H.323White Pages
IMWhite Pages
Enterprise ToolsEmail, Billing,Data storage,
VPN,...
ToolsBilling,
Authorization,...
ToolsBilling,
Authorization,...
ToolsBilling,
Authorization,...
SIP Server H.323 Gatekeeper IM Server
VoIP Admin VC Admin Messaging AdminLDAP Admin
Users
My IP address has changed. Who should I contact?I want to call X. Is X on SIP or H.323? What is the right directory?
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
The Solution
• ONLY one ‘directory’ stores all the information, credentials, etc.
• Information is consistent and available → no confusion: where to find what
– Canonical information• Impossible to handle
several directories, especially for large scale environments
• No redundancy of tools necessary
– Billing– …
University(Enterprise)Directory
H.350 Directory
White Pages
SIP Server
H.323 Gatekeeper
IM Server
LDAP
Enterprise ToolsBilling,
Authorization, Data storage,
VPN,...
Enterprise Directory Admin
User
My IP address has changed. I call the Enterprise Directory Admin.I want to call X. Is X on SIP or H.323? Ok, O look in the White Pages and use click to dial (if supported).
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
The Solution
• Enterprise Directory– Many Universities/Organizations/Institutions already have a
centralized LDAP server– Stores information about people associated with institutions– Just ONE list → duplicate entries resolved– Advantages
• Correct and current• Single place to disable account• Single place to change a password• …
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
The Solution
• LDAP (Lightweight Directory Access Protocol)• Protocol describes message to access data• Standarzied data model (schemas) for data naming and
organization for global unique naming• Derived from OSI X.500• LDAP V.3 (IETF RFC3377) includes security enhancements
(SSL, TLS, …)• Centralized name space and identity management• Flexible and fast (although specialized)• Can be used for White Pages, Authentication, User/Account
management, Endpoint management
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
The Solution
• Advantages of a standardized identity management–Vendor platform can be changed → Multi vendor
service–Integration of more than just audio/video (e.g.
email, web)• Leverage existing identity management tools
–LDAP tools are stable, well developed (due to its ‘long’ existence, flexible, open (many OpenSource products))
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
History of H.350
• The Video Middleware working group ‘vidmid-vc’developed the idea for directory enabled audio/video
• The project was funded by an NSF grant given to the University of Alabama and partners such as CGU, SURFnet, University of North-Carolina Chapel Hill, and RADVISION
• The architecture was proposed to the ITU-T, accepted and ratified as H.350 standard in August 2003
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
Why H.350?
• Today’s audio and video applications lack the ability of retrieving their configuration, phonebook, etc. automatically
– All endpoints need to know an initial IP address of a Gatekeeper, Proxy or Gateway
• Unreliable authentication– Who is calling me?
• No authorization– (Usually) all user have the same rights
• No security– This has been improved over the last year by introducing
AES/DES encryption to the endpoints
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
Why H.350?
• H.350 was designed to support– Association of endpoints to users– Local/global White Page including search functionality– Centralized data storage rather than distributed redundant
data distribution over several servers• What if a user has a H.323 endpoint, a SIP phone and
an IM client?– Auto-load of the configuration for the endpoint– High scalability– ‘Lightweight’ impact on enterprise directory
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
The Architecture
Enterprise Directory (People)
H.350 Directory (multimedia
devices)
White Pages
SIP Proxy
H.323 Gatekeeper
SIP Client
H.323 Terminal
Existing Identity Mngt. Tool
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
What is H.350?
• H.350 is– An LDAP scheme– Standardized way to store information– Basic elements are defined– Extensible and scalable
• It works well for large networks, e.g. 20000+ user• Proprietary elements can be included
– Multi-protocol enabled• SIP• H.323• H.320• Generic Protocols (mpeg2 en/decoder)• …
• H.350 is not– A protocol– Just for H-Series protocols
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
What is H.350?
• H.350 – Directory services architecture for multimedia conferencing
– Base architecture• H.350.1 – Directory services architecture for H.323• H.350.2 – Directory services architecture for H.235• H.350.3 – Directory services architecture for H.320• H.350.4 – Directory services architecture for SIP• H.350.5 – Directory services architecture for non-standard
protocols• H.350.6 – Directory services architecture for call forwarding and
preferences• H.350.7 – Directory services architecture for Presence
information (XMPP)• H.350 Implementers Guide
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
H.350 and Presence
• “sip.edu (an Internet2 project) uses presence and didn’t think much of H.350….until they scaled up their service and decided configuration storage and auto-configuration were ‘good things’” E. Verharen, SURFnet
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
How does H.350 work?
• Each user in the enterprise directory consists of several attributes– inetOrgPerson (enhanced by eduperson.schema)
• Name• Address• Telephone• Email• Organization• Organization Unit
– RFC1274• userPassword
• Using H.350, the existing user gets a new attribute, the commURI– commURI is a pointer to a structure in the commObject (→
next slide)
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
How does H.350 work?
• Enterprise Directory– inetOrgPerson
• Name (dn)• Address• Telefphone• Email• Organization• Organizational unit• commURI
– RFC• userPassword
• H.350 Directory– commObject
• commUniqueID• commOwner• commPrivate
– SIPidentity• SIPIdentitySIPURI• SIPIdentityRegistrarAddre
ss• SIPIdentityemailProxyAdd
ress• SIPIdentityAddress• SIPIdentityPassword• SIPIdentityUsername• SIPIdentityServiceLevelThey reference each other
using ‘pointer’
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
How does H.350 work?
• The relation commURI ↔ commUniqueID is highly flexible, because a user can have multiple commURIs’
– One user (account) : multiple devices
• User 1• Name• Address• Email• …• commURI1• commURI2
• commObject• commOwner• commUniqueID• …• h323Identityattributes
• commObject• commOwner• commUniqueID• …• SIPIdentityattributes
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
How does H.350 work?
• The architecture and the use of LDAP makes H.350 ready for a flexible deployment
–Enterprise and H.350 directory can be on the same LDAP, but in different branches (e.g. Flinders University, Videnet)
–Enterprise and H.350 directory can be two different administered domains (AARNet, UAB)
• Enterprise directory needs just the commURI
ldap://<ip|dns-name>/<ldapDN>??sub(commUniqueID=X)>
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
How does H.350 work?
• Two different domains
• One LDAP domain, but two different branches
Flinders University
Ou=people,dc=flinders,dc=edu,dc=
au
Ou=vc,dc=flinders,dc=edu,dc=au
AARNet H.350 Directory
Ou=vcs,dc=h323,dc=aarnet,dc=edu
,dc=au
AARNet staff durectory
Ou=office,dc=yarralumla,dc=aarnet,dc=edu,dc
=au
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
How does H.350 work?
• Call forwarding and preferences (H.350.6)–The URI points to a forwarding address–A label specifies the type of forwarding and the
waiting time until the call is forwarded–Possible types of forwards
• A different number• mailto:• A web form• …
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
How does H.350 work?
• What about rooms?–The problem with room is, who should
authenticate?• The device• The conference moderator• Everyone in the conference• All of the above
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
How is H.350 currently used?
Phonebook UAB, J. Gemmillhttp://www.uab.edu/phonebook
Enterprise Directory
H.323 Directory Service
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
How is H.350 currently used?
• White Pages at ‘My Videnet’• Search functionality
– A country wide search in Australia results in 16 unique users
• University of Queensland
• AARNet• University of Newcastle• Charles Darwin
University• Swinburne University
of Technology• …
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
How is H.350 currently used?
• Northwestern University–Large SIP client network–SER SIP Server (iptel.org)
• Large company in Germany with 200+ VConendpoints and an MXM Gatekeeper
• AARNet–Deployment is on the way (I hope you join)–Country GK will use H.350 for endpoint
authentication (~Q3/2005)
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
What are the advantages of H.350?
• H.350 enabled endpoints can– Lookup and retrieve their correct working configuration →
Reduces the necessary user support– It does not matter what protocol (H.320/H.323/SIP/genereic)
you use, and the vendor does not matter either, you always have the necessary data available in a well managed way
– White Page search (click to dial if supported), retrieve phonebook, etc.
• If the endpoint also/only supports H.235, it can all the above mentioned
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
What are the advantages of H.350?
• A H.350 enabled Callserver can–Retrieve information from a canonical store
• Solve manual input problem• Conversion to propriety format can be done on
the fly–Use a XIdentityServiceLevel to provide different
levels of authorization (no international calls, no use of PSTN, etc.)
–Scale up Voice/Video operations
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
What Hardware/Software currently supports H.350?
• The H.350 schema are currently available for– OpenLDAP– Sun iPlanet– Novell LDAP– Microsoft Active Directory
• H.350 aware H.323 systems– Radvision Endpoint and Gatekeeper– GnuGK → I am going to talk about this later– VCon clients and MXM Gatekeeper– Aethra systems
• H.350 aware SIP systems– SIP user agent CGU (it’s not available for download anymore)– SIP Proxy Server HCL– Northwestern University uses a Perl Script to interface between SER and
H.350• H.350 aware infrastructure management systems
– Tandberg TMS 8.0
Author: K. Stoeckigt ([email protected])©Copyright AARNet Pty Ltd
Resources about H.350
• ViDe H.350 cookbook (Current version 2.0)– Available in print, pdf and html– Contains detailed descriptions of H.350 as well as several configuration
samples and tools
A VERY VALUABLE SOURCE
• J. Gemmill, “H.323 and Approaches to Authentication”, http://www.dpo.uab.edu/%7Ejgemmill/Presentations/Year_2002/Internet2AUthNZ2002.pdf
• J. Gemmill, “Secure Videoconferencing”, http://www.vide.net/conferences/spr2003/presentations/day_one/jill_gemmill
• E. Verharen, “European VC services and GDS and H.350”http://www.carnet.hr/CUC/tnc-cuc2003/program/slides/s6a1.pdf
• K. Stoeckigt, E. Verharen, Slides from the Real-time communication workshop, 19th Apan Meeting, http://www.rzg.mpg.de/vc/docs/apan/
• K. Stoeckigt, “H.350: Everything OpenSource and solving the H.323 Firewall problem”, Internet2 Member Meeting, Arlington, USA, http://www.internet2.edu/